SSL/TLS encrypts at the transport level; WS-Security encrypts at the
message level. SSL/TLS provides in-transit security only. This
means that the request is only encrypted while it is travelling from client to
server (or back). ... WS-Security maintains the
encryption until the moment when the request is processed. SSL/TLS
secures messages at the HTTP level, whereas WS-Security secures them at the XML
level. In terms of performance, SSL is much faster than WS-Security.
Please note that REST-based web services inherit their security measures
from the underlying transport-level security.
Limitations of SSL/TLS
1. SSL/TLS is point-to-point, whereas
WS-Security is end-to-end, where multiple intermediary nodes
(web servers, load balancers, proxy servers, etc.) could exist between the two
endpoints.
2. SSL/TLS does not provide
Know-Your-Customer (KYC), whereas WS-Security provides this feature.
3. SSL does not provide element-wise signing and encryption.
For example, if you have a large purchase order XML document, yet you want to
only sign or encrypt a credit card element, signing or encrypting only that
element with SSL proves rather difficult. Again, that is due to the fact that
SSL is a transport-level security scheme as opposed to a message-level scheme.
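The following added example (not from the original page) illustrates the message-level idea in points 1 and 3: a signature that covers only the credit card element stays valid when an intermediary rewrites another part of the order, and fails when the protected element changes. It is a simplified sketch that uses an HMAC over the canonicalized element rather than full XML Signature/WS-Security processing; the element names, the Signature layout and the key are assumptions.

```python
import base64, copy, hashlib, hmac
import xml.etree.ElementTree as ET

# Constructed sample message and key (assumptions, not from the original page).
ORDER = """<PurchaseOrder>
  <Item sku="A-100" qty="2"/>
  <ShipTo>1 Example Street</ShipTo>
  <CreditCard Id="cc-1"><Number>4111111111111111</Number></CreditCard>
</PurchaseOrder>"""
KEY = b"constructed-demo-key"  # shared by the two endpoints, not by intermediaries


def _mac(element, key):
    """HMAC-SHA256 over the canonical (C14N 2.0) form of one element."""
    clone = copy.copy(element)
    clone.tail = None  # text after the end tag belongs to the parent
    c14n = ET.canonicalize(ET.tostring(clone, encoding="unicode"))
    return hmac.new(key, c14n.encode("utf-8"), hashlib.sha256).digest()


def sign_element(xml_text, tag, key=KEY):
    """Sender: append a Signature that covers only the child named `tag`."""
    root = ET.fromstring(xml_text)
    target = root.find(tag)
    sig = ET.SubElement(root, "Signature", {"URI": "#" + target.get("Id")})
    sig.text = base64.b64encode(_mac(target, key)).decode("ascii")
    return ET.tostring(root, encoding="unicode")


def verify_element(xml_text, key=KEY):
    """Receiver: recompute the MAC of the referenced element and compare."""
    root = ET.fromstring(xml_text)
    sig = root.find("Signature")
    if sig is None:
        return False
    ref_id = sig.get("URI", "")[1:]
    matches = [e for e in root.iter() if e.get("Id") == ref_id]
    if len(matches) != 1:  # ambiguous or missing reference: reject
        return False
    return hmac.compare_digest(_mac(matches[0], key), base64.b64decode(sig.text))


if __name__ == "__main__":
    signed = sign_element(ORDER, "CreditCard")
    print("as sent:", verify_element(signed))
    print("ShipTo rewritten in transit:", verify_element(signed.replace("1 Example Street", "Dock 7")))
    print("card number altered:", verify_element(signed.replace("4111111111111111", "4000000000000002")))
```

The receiver rejects a message in which the referenced Id is missing or appears more than once, so the element it verifies is unambiguously the one the signature refers to.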
We can configure both transport-level security and message-level security.
If SSL/TLS is not configured at the server level, then you need to
configure an SSL/TLS WSM policy at the web service level, for example
oracle/wss_http_token_over_ssl_service_policy.